[ Technical Teardown: HongKong Protest Malware ]

[ How it starts ]
It all started when we saw Tsui Lokman mention an executable that they had received and that could be malware.
This particular piece of malware could potentially be used to target Hongkongers participating in #OccupyCentral and #UmbrellaMovement.
Being the curious cat(s) that we are, we asked for a copy of it so we could analyse it.

[ Analysis of Dropper ]
1) The executable is camouflaged as an Adobe executable (PDF viewer) by using an Adobe icon, as shown here.
Image 1 : Screenshot of Dropper

A Microsoft Excel icon is also found in the executable (using the Resource Hacker tool). However, the icon is not used at all. Probably there is another version of the dropper that disguises itself as an Excel document.

Image 2 : Extra icon using ResHacker

2) Upon execution of the dropper, the malware copies itself to C:\Documents and Settings\Administrator\Application Data\WMService.exe. The path that the malware copies itself to varies depending on the operating system version. For Windows XP the path is [drive]:\Documents and Settings\[User Name]\Application Data\WMService.exe, while for Vista and above the path is [drive]:\Users\[User Name]\AppData\Roaming\WMService.exe.

Image 3 : Screenshot of Dropped location

The first function of interest when running the malware is the decryption of the encrypted strings in the program. At address 00403E9A we can see a function call to address 00401F70.

Image 4 : List of Encoded Strings

From the above assembly code, we can see several encrypted strings. Note that there are several calls to function 00401AAE. This function is called to decrypt the encrypted strings. Instead of going through the decryption routine… my approach is to use OllyDbg to decrypt the strings at runtime, as shown below.

Image 5 : List of Decoded Strings

Now we can make a better educated guess about what the malware is doing with the decrypted strings. Previously, IDA Pro's strings view did not really churn out anything useful for us, but with the decrypted strings we can see the evil server's domain name.

Moving on, we can see that after the decryption routine, the executable looks for an -st argument.
On analysing the dropper in IDA Pro, we see that it has two distinct paths.
One path (Path A) is taken when no -st argument is supplied when executing the dropper, while the other path (Path B) is taken when the -st argument is supplied to the binary.
Path A is taken when the dropper is first executed by the user, in which case no arguments are passed to the process. Path B is taken when the system boots up and executes the dropper via the registry's Run key, in which case the argument is provided to the process.

Image 6 : 2 Paths of Malware

[ Analysis of Path A ]

At address 00403FAF we can see that the function at 00403B55 is called. This function forms the cmd.exe command line and executes it, as shown below.

After execution, the dropper “deletes” itself by moving itself to C:\Documents and Settings\Administrator\Application Data\WMService.exe via c:\windows\system32\cmd.exe.

Image 8 : Command Line to “Move” Malware to another location

[ Analysis of Path B ]

The first thing that Path B does is create a mutex object with the name “c8aabdc4” using the CreateMutex function. In the event that the mutex already exists, the program terminates.

Image 9 : Creation of MutexName

The mutex is used to prevent two such processes from running at the same time. The malware then continues to call the function at address 0040264A, where it gets the computer name and internal IP address of the computer.

Next, GetTempPathA is called to form the path C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\s.bin, which is used as the destination file path of the actual payload.

The function at address 00403D60 takes in the domain name www.sslquery.myz.info:443 and resolves it to an IP address, 113.10.245.133.

Image 10 : Possibly C&C of Malware

Function 00402350 is called to form the GET request to the C&C server. In the function we can see the computer name and internal IP address being used, as shown below.

Image 11 : Data that are sent back to C&C

The information gathered from the victim is encoded and appended to the URL.

URLDownloadToFileA is then called to upload the user info and download the payload from the URL below:

However at the time of analyzing the sample, the server was already down…

Image 12 : Download URL of another payload

Should the actual payload (s.bin) exist, we would expect the first byte of the downloaded payload to be the type of command to execute, as shown in the switch statement below. The function responsible for reading the commands from the downloaded payload is at address 00402553.

Image 13 : List of Commands for Malware

Based on the above switch statement, we can observe that the downloaded payload is in fact a set of commands to be executed on the machine. We do not really need to download and analyse the payload to know what it is doing. The functions that the malware can perform are reading files, uploading a file to the server, executing commands, deleting a file, finding a file and retrieving logical drive info.

Once the command to the malware is executed, the instruction file, s.bin, is deleted.

As we can see in the image below, the malware calls back to its server every hour to retrieve new commands to execute.

Image 14 : Hourly Sleep
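The hourly callback and the C&C indicators above (www.sslquery.myz.info and 113.10.245.133) are what a defender can look for in outbound traffic. The following Python check is an added example, not code from the original post: it reads a constructed, simplified proxy log in the format "timestamp client destination[:port]", collects every client that contacted an indicator, and flags those whose requests recur at roughly one-hour intervals. Because myz.info is a dynamic DNS service, the domain name is the more durable of the two indicators.

```python
"""Hourly-beacon check for the C&C indicators in the teardown above.

Added example, not part of the original post.  Input is a constructed,
simplified proxy log, one request per line:
    "<ISO timestamp> <client ip> <destination host or ip>[:port]"
Host, IP and the one-hour sleep are taken from the analysis.
"""
from datetime import datetime
from statistics import median

C2_INDICATORS = {"www.sslquery.myz.info", "113.10.245.133"}
BEACON_SECONDS = 3600        # the malware sleeps one hour between callbacks
TOLERANCE = 0.10             # accept +/-10% drift around the hourly period

def parse_line(line):
    """Return (timestamp, client, destination) for one log line."""
    ts, client, dest = line.split()
    return datetime.fromisoformat(ts), client, dest.rsplit(":", 1)[0]

def find_c2_beacons(lines):
    """Map each client that contacted a C2 indicator to
    {"hits": n, "period": median gap in seconds or None, "hourly": bool}."""
    hits = {}
    for line in lines:
        ts, client, dest = parse_line(line)
        if dest.lower() in C2_INDICATORS:
            hits.setdefault(client, []).append(ts)
    report = {}
    for client, times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps) if gaps else None
        hourly = period is not None and abs(period - BEACON_SECONDS) <= BEACON_SECONDS * TOLERANCE
        report[client] = {"hits": len(times), "period": period, "hourly": hourly}
    return report

# Constructed sample: 10.0.0.7 calls back every hour, 10.0.0.9 touches the IP once.
SAMPLE_LOG = [
    "2014-10-20T09:00:05 10.0.0.7 www.sslquery.myz.info:443",
    "2014-10-20T09:12:00 10.0.0.9 www.example.com:80",
    "2014-10-20T10:00:09 10.0.0.7 www.sslquery.myz.info:443",
    "2014-10-20T11:00:02 10.0.0.7 www.sslquery.myz.info:443",
    "2014-10-20T11:30:00 10.0.0.9 113.10.245.133:443",
]

if __name__ == "__main__":
    for client, info in sorted(find_c2_beacons(SAMPLE_LOG).items()):
        print(client, info)
```

A single hit on the IP is still worth a look, but the hourly cadence is what separates this callback from a one-off visit.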

[ Dropping of Persistent Backdoor ]
Earlier on, we mentioned that the malware adds an entry to the registry. This registry value is added for persistence.
Location: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Name: Hotkey
Value: C:\Documents and Settings\Administrator\Application Data\WMService.exe -st

You may find a screenshot of this in the [ Analysis of Path A ] section.
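To check machines for this persistence entry without an interactive registry editor, the following Python script (an added example, not code from the original post) parses a constructed "reg export"-style fragment of the HKCU Run key and grades each value. The Run key, the "Hotkey" value, its command line and the two drop folders (Application Data on XP, AppData\Roaming on Vista and above) come from the teardown; the other sample entries are constructed.

```python
"""Grade HKCU Run-key values from a .reg export against the persistence entry
above.  Added example, not part of the original post; the Run key, value name,
command line and drop folders come from the teardown, the other sample entries
are constructed."""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
DROP_NAME = "wmservice.exe"
DROP_DIRS = ("\\application data\\", "\\appdata\\roaming\\")   # XP / Vista+
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
CMD_RE = re.compile(r'^"?(.*?\.exe)"?(?:\s+(.*))?$', re.I)   # exe, then args

def parse_run_values(reg_text):
    """Return {value name: command line} for the HKCU Run key only."""
    values, in_run = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY.lower()
        elif in_run and (m := VALUE_RE.match(line)):
            # .reg escapes backslash and quote with a backslash; undo in one pass
            name, cmd = (re.sub(r'\\(.)', r'\1', g) for g in m.groups())
            values[name] = cmd
    return values

def assess(values):
    """'match' = the exact WMService.exe -st entry, 'suspicious' = anything
    launched from a roaming-profile drop folder, 'ok' = everything else."""
    verdicts = {}
    for name, cmd in values.items():
        m = CMD_RE.match(cmd)
        exe, args = (m.group(1).lower(), m.group(2) or "") if m else (cmd.lower(), "")
        if exe.endswith("\\" + DROP_NAME) and args.strip() == "-st":
            verdicts[name] = "match"
        elif any(d in exe for d in DROP_DIRS):
            verdicts[name] = "suspicious"
        else:
            verdicts[name] = "ok"
    return verdicts

# Constructed sample export; only the "Hotkey" entry is from the teardown.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Hotkey"="C:\\Documents and Settings\\Administrator\\Application Data\\WMService.exe -st"
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /quiet"
"Sync"="C:\\Users\\alice\\AppData\\Roaming\\sync\\sync.exe"
'''
```

Calling assess(parse_run_values(SAMPLE_REG)) grades "Hotkey" as a match and the roaming-profile "Sync" entry as suspicious; the unquoted path with spaces is handled by splitting at the first ".exe" rather than at the first space.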

[ Anti Analysis Features ]
The author of this malware implemented a time delay in the program, possibly for the purpose of evading antivirus detection. Antivirus products execute a program to detect malicious code, but only for a short period of time. A time-delay approach could potentially evade such scanning.

Using breakpoints in OllyDbg, we observed that IsDebuggerPresent is used to detect whether a debugger is attached to the dropper. However, there is no difference in the core operations even if the dropper detects that a debugger is present.

[ Whois Investigation ]
A quick Whois query using CentralOps revealed that the domain name (www.sslquery.myz.info) also points to the IP address (113.10.245.133) that we had found earlier in the binary. As myz.info is a “Free Dynamic DNS” service offered by ChangeIP.com, the infiltrator can change the IP address easily without affecting the callback.

However, the server is currently inactive. (Information correct as of 22/10/2014)